
2019 | OriginalPaper | Chapter

Evaluation and Application of Two Fuzzing Approaches for Security Testing of IoT Applications

Authors: Omar M. K. Alhawi, Alex Akinbi, Ali Dehghantanha

Published in: Handbook of Big Data and IoT Security

Publisher: Springer International Publishing


Abstract

The proliferation of Internet of Things (IoT) devices embedded with vulnerable software has raised serious doubts about the security of IoT devices and networks. Enhancing fuzzing performance and efficiency to enable testing of these software samples is a challenge. Fuzzing is an automated technique widely used to provide software quality assurance during testing, finding flaws and bugs by providing random or invalid inputs to computer software. However, the technique can take a significant amount of time and effort to complete during the test phase of the software development lifecycle. Reducing the time required to fuzz software will improve efficiency and productivity during the software testing phase and enable detailed analysis and fixing of the bugs or flaws found in the computer program. A number of factors influence the fuzzing technique, such as the quality of the test cases or invalid inputs used during the test and how these samples were collected or created. In this paper, we introduce a technique that leverages the different crashes discovered by two fuzzing approaches to improve fuzzers by concentrating on the utilised test cases. Code coverage is used as an efficiency metric to measure the test case on the tested software and to assess the quality of a given input. Different sample features were created and analysed to identify the most effective and efficient feature to use as input for the fuzzer program to test the target software.


Footnotes
1
A test case should be similar to real valid data, but it must contain problems (“anomalies”). For example, to fuzz Microsoft Office, a test case should be a Word document or Excel sheet (the data sample), and the mutated version generated from such a file is called the test case.
 
2
An SMT solver is a tool that adds equality reasoning, arithmetic, fixed-size bit-vectors, arrays and quantifiers, and decides the satisfiability of formulas in these theories [39].
 
3
Samples which are accepted as an input to our research target.
 
5
“Instrument” is used to refer to the extra piece of code added to a piece of software, while it is sometimes used to refer to the code doing the instrumentation itself.
 
6
C:\Users\Administrator\Desktop\peach-3.1.124-win-x86-debug\Logs\omar.xml_20171209205928\Faults.
 
7
 
Literature
1. D. Kiwia, A. Dehghantanha, K.-K. R. Choo, and J. Slaughter, “A cyber kill chain based taxonomy of banking Trojans for evolutionary computational intelligence,” J. Comput. Sci., Nov. 2017.
2. Y.-Y. Teing, D. Ali, K. Choo, M. T. Abdullah, and Z. Muda, “Greening Cloud-Enabled Big Data Storage Forensics: Syncany as a Case Study,” IEEE Trans. Sustain. Comput., pp. 1–1, 2017.
3. Y.-Y. Teing, A. Dehghantanha, K.-K. R. Choo, and L. T. Yang, “Forensic investigation of P2P cloud storage services and backbone for IoT networks: BitTorrent Sync as a case study,” Comput. Electr. Eng., vol. 58, pp. 350–363, Feb. 2017.
4. Y.-Y. Teing, A. Dehghantanha, and K.-K. R. Choo, “CloudMe forensics: A case of big data forensic investigation,” Concurr. Comput. Pract. Exp., p. e4277, Jul. 2017.
5. S. Homayoun, A. Dehghantanha, M. Ahmadzadeh, S. Hashemi, and R. Khayami, “Know Abnormal, Find Evil: Frequent Pattern Mining for Ransomware Threat Hunting and Intelligence,” IEEE Trans. Emerg. Top. Comput., 2017.
6. H. H. Pajouh, A. Dehghantanha, R. Khayami, and K.-K. R. Choo, “Intelligent OS X malware threat detection with code inspection,” J. Comput. Virol. Hacking Tech., 2017.
7. F. Norouzizadeh Dezfouli, A. Dehghantanha, B. Eterovic-Soric, and K.-K. R. Choo, “Investigating Social Networking applications on smartphones detecting Facebook, Twitter, LinkedIn and Google+ artefacts on Android and iOS platforms,” Aust. J. Forensic Sci., pp. 1–20, Aug. 2015.
8. O. Osanaiye, H. Cai, K.-K. R. Choo, A. Dehghantanha, Z. Xu, and M. Dlodlo, “Ensemble-based multi-filter feature selection method for DDoS detection in cloud computing,” Eurasip J. Wirel. Commun. Netw., vol. 2016, no. 1, 2016.
9. A. Shalaginov, S. Banin, A. Dehghantanha, and K. Franke, “Machine Learning Aided Static Malware Analysis: A Survey and Tutorial,” 2018, pp. 7–45.
10. J. Baldwin and A. Dehghantanha, Leveraging support vector machine for opcode density based detection of crypto-ransomware, vol. 70. 2018.
11. O. M. K. Alhawi, J. Baldwin, and A. Dehghantanha, Leveraging machine learning techniques for windows ransomware network traffic detection, vol. 70. 2018.
12. S. Homayoun, M. Ahmadzadeh, S. Hashemi, A. Dehghantanha, and R. Khayami, “BoTShark: A Deep Learning Approach for Botnet Traffic Detection,” Springer, Cham, 2018, pp. 137–153.
13. M. Petraityte, A. Dehghantanha, and G. Epiphaniou, “A Model for Android and iOS Applications Risk Calculation: CVSS Analysis and Enhancement Using Case-Control Studies,” Springer, Cham, 2018, pp. 219–237.
14. M. Conti, A. Dehghantanha, K. Franke, and S. Watson, “Internet of Things security and forensics: Challenges and opportunities,” Futur. Gener. Comput. Syst., vol. 78, pp. 544–546, Jan. 2018.
15. M. Hopkins and A. Dehghantanha, “Exploit Kits: The production line of the Cybercrime economy?,” in 2015 Second International Conference on Information Security and Cyber Forensics (InfoSec), 2015, pp. 23–27.
16. H. Haddadpajouh, A. Dehghantanha, R. Khayami, and K.-K. R. Choo, “A Deep Recurrent Neural Network Based Approach for Internet of Things Malware Threat Hunting,” Futur. Gener. Comput. Syst., 2018.
17. S. Watson and A. Dehghantanha, “Digital forensics: the missing piece of the Internet of Things promise,” Comput. Fraud Secur., vol. 2016, no. 6, pp. 5–8, Jun. 2016.
18. A. Azmoodeh, A. Dehghantanha, and K.-K. R. Choo, “Robust Malware Detection for Internet Of (Battlefield) Things Devices Using Deep Eigenspace Learning,” IEEE Trans. Sustain. Comput., pp. 1–1, 2018.
19. N. Milosevic, A. Dehghantanha, and K.-K. R. Choo, “Machine learning aided Android malware classification,” Comput. Electr. Eng., vol. 61, 2017.
20. G. Epiphaniou, P. Karadimas, D. K. B. Ismail, H. Al-Khateeb, A. Dehghantanha, and K. R. Choo, “Non-Reciprocity Compensation Combined with Turbo Codes for Secret Key Generation in Vehicular Ad Hoc Social IoT Networks,” IEEE Internet Things J., 2017.
21. H. Haddad Pajouh, R. Javidan, R. Khayami, D. Ali, and K.-K. R. Choo, “A Two-layer Dimension Reduction and Two-tier Classification Model for Anomaly-Based Intrusion Detection in IoT Backbone Networks,” IEEE Trans. Emerg. Top. Comput., pp. 1–1, 2016.
22. G. Mcgraw, “Software security,” IEEE Secur. Priv. Mag., vol. 2, no. 2, pp. 80–83, Mar. 2004.
23. A. Azmoodeh, A. Dehghantanha, M. Conti, and K.-K. R. Choo, “Detecting crypto-ransomware in IoT networks based on energy consumption footprint,” J. Ambient Intell. Humaniz. Comput., pp. 1–12, Aug. 2017.
24. S. Walker-Roberts, M. Hammoudeh, and A. Dehghantanha, “A Systematic Review of the Availability and Efficacy of Countermeasures to Internal Threats in Healthcare Critical Infrastructure,” IEEE Access, 2018.
25. A. Causevic, D. Sundmark, and S. Punnekkat, “An Industrial Survey on Contemporary Aspects of Software Testing,” in 2010 Third International Conference on Software Testing, Verification and Validation, 2010, pp. 393–401.
26. P. Godefroid, M. Y. Levin, and D. Molnar, “Automated Whitebox Fuzz Testing,” 2008.
27. & A. G. Michael Sutton, Adam Greene, “Fuzzing: Brute Force Vulnerability Discovery - Google Books.” 2007.
28. Charlie Miller and Zachary N.J. Peterson, “Analysis of Mutation and Generation-Based Fuzzing,” 2007.
29. John Neystadt, “Automated Penetration Testing with White-Box Fuzzing.” 2008.
30. P. Godefroid, M. Y. Levin, and D. Molnar, “SAGE: Whitebox Fuzzing for Security Testing SAGE has had a remarkable impact at Microsoft. THE HIGH COST OF SECURITY BUGS A Sample JPG Image,” 2012.
31. V. W. Cadar Cristian, Godefroid Patrice, Khurshid Sarfraz, Corina S. Pasareanu, Sen Koushik, Tillmann Nikolai, “Symbolic Execution for Software Testing in Practice – Preliminary Assessment,” 2011.
32. A. Rebert, J. Foote, J. Org, D. Warren, and D. Brumley, “Optimizing Seed Selection for Fuzzing.”
33. Microsoft, “Introduction to Instrumentation and Tracing.” 2013.
34. P. Feiner, A. D. Brown, and A. Goel, “Comprehensive Kernel Instrumentation via Dynamic Binary Translation,” 2012.
35. A. Takanen, J. DeMott, and C. Miller, “Fuzzing for Software Security Testing and Quality Assurance (Artech House Information Security and Privacy),” 2008.
36. PeachTech, “Peach Fuzzer: Discover unknown vulnerabilities.”
37. R. Luk, Chi-Keung, Cohn, Robert, Muth, G. Patil, Harish, Klauser, Artur, Lowney, and K. Vijay, Steven Wallace, Reddi, Janapa, Hazelwood, “Pin: Building Customized Program Analysis Tools with Dynamic Instrumentation,” 2005.
38. J. S. Dave Weinstein, “The History of the !exploitable Crash Analyzer – Security Research & Defense.” 2009.
39. L. de Moura and N. Bjørner, “Z3: An Efficient SMT Solver,” 2008, pp. 337–340.
Metadata
Title
Evaluation and Application of Two Fuzzing Approaches for Security Testing of IoT Applications
Authors
Omar M. K. Alhawi
Alex Akinbi
Ali Dehghantanha
Copyright Year
2019
DOI
https://doi.org/10.1007/978-3-030-10543-3_13
